Signing with Code Certificate from COMODO ?

Hi,
does anyone have some experience with a Code Signing Certificate from COMODO ?
I exported the certificate from Chrome or IE and tried the signing for a jar file,
but get:
jar signed.
Warning:
The signer's certificate chain is not validated.
Can anyone help me ?
Many thanks.

According to tzengs suggestion I tried to export the certificate again from firefox using "backup all" instead of "backup" with no effect.
One thing which I am still not sure of:
Can my client give me a p12 certificate which I can use as it is to sign my application using the provided password or do I have to process this certificate first?
Depending on the answer to this question I need to take different action:
YES: I need to tell my client to export the certificate in a different manner in order to "create the complete chain"
NO: The certificate from my client is fine but I still need to figure out how to change the certificate so that I don't get the error.
Thanks for your help.

Similar Messages

  • Signing with p12 certificate from client

    Hi there
    Our client provided us with a p12 format certificate and a password for signing AIR Applications.
    When I tried to sign the application in question with the certificate I got the following Error:
    Unable to build a valid certificate chain for the signer.
    What would google do in this situation?
    According to http://www.globalsign.com/support/root-certificate/osroot.php I did the following:
    Install the certificate in Internet Explorer
    Install the GlobalSign ObjectSign CA in Firefox
    Export a new p12 certificate from firefox
    Sign the application again with the new p12 certificate
    Still getting the same error!
    Install the new p12 certificate in Internet Explorer
    Again exporting the cert in Firefox
    and so on...
    No matter what I tried I still got the same error. I am now wondering whether our client needs to sign the application, but this does not seem to make sense since I have a p12 certificate and a password...
    I really would appreciate any help on this matter.
    Kind regards
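
A way to check whether a .p12 file already carries the chain a signing tool needs, which bears on both the jarsigner warning in the first post and the AIR error above. This is an added example, not code from either thread; the class name `P12ChainCheck` is made up, and "complete" is taken here to mean that the stored chain ends at a self-signed root.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): inspects the certificate chain that
// is stored next to each private key in a PKCS#12 file.
public class P12ChainCheck {

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (from an interactive terminal): java P12ChainCheck <file.p12>");
            System.exit(2);
        }
        // Prompt for the password instead of taking it as an argument, so it
        // does not end up in shell history or the process list.
        char[] password = console.readPassword("Password for %s: ", args[0]);

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        int keyEntries = 0;
        boolean allReachRoot = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // certificate-only entry: cannot be used for signing
            }
            keyEntries++;
            allReachRoot &= describeChain(alias, ks.getCertificateChain(alias));
        }
        if (keyEntries == 0) {
            System.out.println("No private key entry found: this file cannot sign anything.");
        }
        System.exit(keyEntries > 0 && allReachRoot ? 0 : 1);
    }

    // Prints the chain leaf-first and returns true only if every link verifies
    // and the last certificate is a self-signed root.
    static boolean describeChain(String alias, Certificate[] chain) {
        System.out.println("Key entry: " + alias);
        if (chain == null || chain.length == 0) {
            System.out.println("  no certificate stored with this key");
            return false;
        }
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i]; // PKCS#12 holds X.509
            System.out.println("  [" + i + "] subject: " + cert.getSubjectX500Principal());
            System.out.println("      issuer:  " + cert.getIssuerX500Principal());
            if (i + 1 < chain.length && !isSignedBy(cert, (X509Certificate) chain[i + 1])) {
                System.out.println("  BROKEN: [" + i + "] was not issued by [" + (i + 1) + "]");
                return false;
            }
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        if (isSignedBy(last, last)) {
            System.out.println("  chain ends at a self-signed root");
            return true;
        }
        // Whether this matters depends on the verifier: it must already hold the
        // missing issuer(s) up to a root it trusts, or path building fails.
        System.out.println("  INCOMPLETE: issuer not in file: " + last.getIssuerX500Principal());
        return false;
    }

    // True if the names match and the signature on cert verifies under issuer's key.
    static boolean isSignedBy(X509Certificate cert, X509Certificate issuer) {
        if (!cert.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) {
            return false;
        }
        try {
            cert.verify(issuer.getPublicKey());
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

A chain that prints only entry `[0]` and is reported as incomplete means the export contained the signer's certificate without its intermediate CA certificates.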

  • What does this mean and how do I fix it? Error ITMS-9000 "Invalid Code Signing The executable ´viwer.app/ viewer´ must be signed with the certificate that is contained in the provisioning profile"

    If you had Firefox save your Yahoo password, first try deleting that here:
    orange Firefox button ''or'' classic Tools menu > Options > Security > "Saved Passwords"
    The "signed out" message seems to be related to how Yahoo authenticates you. Some users have reported that disabling automatic proxy detection solves the problem, and it also resolves an issue of getting logged out every few minutes, if you have ever experienced that.
    To make the change:
    orange Firefox button ''or'' classic Tools menu > Options > Advanced
    On the "Network" mini-tab, click the "Settings" button, then choose "No Proxy" and OK your way back out.
    If your work connection requires you to use a proxy server, try the "Use system settings" option instead.
    Does that help?

  • Jars can't be signed with different certificates---even by Sun?

    I am deploying an application which uses the following jar files:
    com.example.application.jar
    com.example.support.jar
    javax.activation.jar
    javax.mail.jar
    The latter two are jars signed from Sun, yet JWS complains that the jars have been signed with different certificates. I'm forced to unpack the Sun jars and repackage them, signing them with my own certificate.
    Isn't this a little restrictive? Shouldn't jars signed by Sun be exceptions to the "all jars signed by the same certificate" requirement?
    Garret

    Thanks! The JNLP 1.5 MR specification is a bit opaque about exactly how to do this, but the following site has an example that helped:
    http://java.sun.com/j2se/1.5.0/docs/guide/javaws/developersguide/faq.html
    The example didn't mention whether I can request all permissions for the component extension, but I suppose I can. Nothing seems to indicate whether I can have component extensions reference other component extensions (JavaMail requires JAF, for example), but it seems to work.
    By requesting full permissions for the component extensions, though, I now get two dialogs presented to the user, the first asking if my application should be trusted, and the second asking if Sun Microsystems should be trusted.
    If I remove all-permissions from the JavaMail component extension, yet request it for the main application (thereby only presenting the user with one confirmation dialog), will I still be able to perform restricted functionality using JavaMail, such as connecting to remote servers?
    Here's what I'm now using, in hopes that it benefits someone else. The main JNLP:
         <resources>
              <jar href="com.example.jar"/>
              <extension name="JavaMail" href="javax.mail.jnlp"/>
         </resources>
    ...javax.mail.jnlp:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://localhost:8080/" href="javax.mail.jnlp">
         <information>
              <title>JavaMail</title>
              <vendor>Sun Microsystems, Inc.</vendor>
              <description>JavaMail API.</description>
              <homepage href="http://java.sun.com/products/javamail/"/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <jar href="javax.mail.jar"/>
              <extension name="JAF" href="javax.activation.jnlp"/>
         </resources>
         <component-desc/>
    </jnlp>
    javax.activation.jnlp:
    <?xml version="1.0" encoding="UTF-8"?>
    <jnlp spec="1.0+" codebase="http://localhost:8080/" href="javax.activation.jnlp">
         <information>
              <title>JAF</title>
              <vendor>Sun Microsystems, Inc.</vendor>
              <description>JavaBeans Activation Framework extension.</description>
              <homepage href="http://java.sun.com/products/javabeans/glasgow/jaf.html"/>
         </information>
         <security>
              <all-permissions/>
         </security>
         <resources>
              <jar href="lib/javax.activation.jar"/>
         </resources>
         <component-desc/>
    </jnlp>
    Garret

  • Able to install the .ipa signed with distribution certificate using iTunes on MacBook Pro, whereas trying to install using iTunes on PC causes a problem

    The sound input going to the mic is not going to pipe through the speakers like that.  It doesn't do it because it would cause a feedback loop on itself.  The mic input will take sound and output it to a program or to another pathway (like a VoIP or Facetime call, etc.) but it won't behave like a Karaoke machine if that's what you're thinking.

  • Problem Signing Email with Digital Certificate from Smart Card, Outlook 2013

    Hi there, I'm the IT guy for a small company.  I've configured several people in the company to use their smart cards for email signing through Outlook 2013, but a few computers are giving me this error:
    "Microsoft Outlook cannot sign or encrypt this message because there are no certificates which can be used to send from the e-mail address '<e-mail address>'. Either get a new digital ID to use with this account, or use the Accounts button to send the message using an account that you have certificates for."
    I've been in the Trust Center, I see the signing and encrypting certificates. (SHA-1 and 3DES).  Yet when I try to sign, Outlook always fails on the error.
    For my computer, I was able to fix this by adding a "SupressNameChecks" DWORD set to 1 in the Registry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook.  However, this fix is not working for the other people in the company.
    Any other ideas?  Really pulling my hair out on this one, I've tried everything I could find on the net it seems.

    Hi,
    Please check “E-mail name” under the section “Include this information in alternate subject name” on the Subject Name tab of the certificate template.
    We can export the entrust managed services root CA cert from a working machine and import into the trusted root store of a non-working machine. For detailed steps about it, please refer to:
    How To Import and Export Certificates So That You Can Use S/MIME in Outlook Web Access on Multiple Computers
    http://support.microsoft.com/kb/823503/en-us
    Hope it helps.
    Regards,
    Winnie Liang
    TechNet Community Support

  • HTTPS request signed by client certificate from PL/SQL procedure

    Hi All, please help.
    The PL/SQL procedure connects to different web services, using both HTTP/HTTPS; for HTTPS, server certificates were used. Everything was OK.
    The next service requires the client to sign requests with a client certificate. I made the client certificate, signed it by a CA, and stored it in Wallet Manager.
    Is there a possibility to send a signed HTTPS request from PL/SQL?
    If not, how to do it using Java and encapsulate for PL/SQL?
    Please answer ASAP!!!

    It is pretty straight-forward to make HTTPS requests with UTL_HTTP.
    To do so, you first need to create an Oracle wallet on the database server host with Oracle Wallet Manager. If your database resides on Windows, I believe a short-cut has been created in the Windows menu. On Linux, it can be invoked from $ORACLE_HOME/bin/owm.
    Once the wallet is created, you need to make an additional call to utl_http.set_wallet(<wallet-directory>, <wallet-password>) before any utl_http.request or utl_http.begin_request calls. The <wallet-directory> is the wallet directory where you will find the cwallet.sso and/or ewallet.p12 files, using the format "file:/<wallet-directory>". For example:
    utl_http.set_wallet('file:/home/oracle/wallets/my_wallet/', '123456');
    When an Oracle wallet is created, it is pre-populated with common certificate authorities' certificates (e.g. Verisign). In the event that the server certificate of the HTTPS host is not signed by one of those common certificate authorities, you need to import the additional certificate authority's certificate in your wallet using Oracle Wallet Manager.

  • Jars not signed with same certificate

    Hi,
    I have signed my jars with jarsigner and the same certificate. I have verified with jarsigner -verify -cert -verbose.
    But JWS says that my jars are not signed with the same certificate. I don't understand why.
    Here is the stack :
         at com.sun.javaws.LaunchDownload.checkSignedResourcesHelper(LaunchDownload.java:1023)
         at com.sun.javaws.LaunchDownload.checkSignedResources(LaunchDownload.java:925)
         at com.sun.javaws.Launcher.continueLaunch(Launcher.java:814)
         at com.sun.javaws.Launcher.handleApplicationDesc(Launcher.java:515)
         at com.sun.javaws.Launcher.handleLaunchFile(Launcher.java:218)
         at com.sun.javaws.Launcher.run(Launcher.java:165)
         at java.lang.Thread.run(Thread.java:595)
    How can I know which jar has the bad certificate?

    If you set the deployment.property file entry:
    deployment.trace.level=all
    you should see some debug output in the console and trace file that might help determine what jar it is (I am assuming you are using javaws 5.0)
    The problem is probably that although you use the same root certificate chain you purchased for each jar file, the entire certificate chain is not the same.
    Please post the full set of steps you used to sign each jar.
    /Andy
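
One way to find the odd jar without trace logs, following the point in the reply above that the whole certificate chain has to match: print the signer chain of every entry in every jar and group the jars by it. This is an added example, not code from the thread; the class name `JarSignerChains` is made up.

```java
import java.io.File;
import java.io.InputStream;
import java.security.CodeSigner;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example (hypothetical class name): groups jars by the complete
// certificate chains that signed their entries.
public class JarSignerChains {

    // Hex SHA-256 of each certificate in the signer's chain, leaf first.
    static List<String> chainFingerprints(CodeSigner signer) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        List<String> out = new ArrayList<>();
        for (Certificate c : signer.getSignerCertPath().getCertificates()) {
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(c.getEncoded())) {
                hex.append(String.format("%02x", b));
            }
            out.add(hex.toString());
        }
        return out;
    }

    // Signature bookkeeping files are not themselves signed, so skip them.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA")
                    || n.endsWith(".EC") || n.startsWith("META-INF/SIG-")));
    }

    // Distinct signer chains found in one jar; an entry without any signer
    // contributes the marker chain ["UNSIGNED"].
    static Set<List<String>> signerChains(File jar) throws Exception {
        Set<List<String>> chains = new LinkedHashSet<>();
        byte[] buf = new byte[8192];
        try (JarFile jf = new JarFile(jar, true)) {
            for (JarEntry e : Collections.list(jf.entries())) {
                if (e.isDirectory() || isSignatureFile(e.getName())) {
                    continue;
                }
                // Signers are only available after the entry has been read to
                // the end; a modified entry throws SecurityException here.
                try (InputStream in = jf.getInputStream(e)) {
                    while (in.read(buf) != -1) { /* drain */ }
                }
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null) {
                    chains.add(Collections.singletonList("UNSIGNED"));
                    continue;
                }
                for (CodeSigner s : signers) {
                    chains.add(chainFingerprints(s));
                }
            }
        }
        return chains;
    }

    public static void main(String[] args) throws Exception {
        Map<Set<List<String>>, List<String>> groups = new LinkedHashMap<>();
        for (String path : args) {
            groups.computeIfAbsent(signerChains(new File(path)), k -> new ArrayList<>()).add(path);
        }
        int n = 0;
        for (Map.Entry<Set<List<String>>, List<String>> g : groups.entrySet()) {
            System.out.println("Signer set #" + (++n) + " used by " + g.getValue());
            for (List<String> chain : g.getKey()) {
                System.out.println("  chain, leaf first (SHA-256 per certificate):");
                for (String fp : chain) {
                    System.out.println("    " + fp);
                }
            }
        }
        if (groups.size() > 1) {
            System.out.println("The jars above do not all carry the same signer chain.");
            System.exit(1);
        }
    }
}
```

Run it with all jars of the application as arguments; two jars signed with the same leaf certificate but a different or missing intermediate end up in different signer sets.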

  • Jars signed with revoked certificate

    Hello,
    I have a situation here where I have jars and wars which were signed using jarsigner. The certificate used to sign the jars is now revoked.
    When java runtime loads these jars, it does not throw any errors/exceptions. Is it the right behavior ?
    Is there any way by which I can configure java runtime to contact the CRL and to throw an error while the jar is loaded. The certificate has information
    about CRL distribution point and also has authorityinfo access details. I tried configuring OCSP in java.security file. But still no luck.
    Any information on this will be helpful.
    Thanks in advance

    Hello EJP,
    Thanks for replying.
    Yes the certificate was valid when the jar was signed. Please note that, there was no timestamp put in the signature.
    So now after the certificate has been revoked, if Java runtime tries to load that jar, isn't it the responsibility of Java runtime to make use of the CRL/OCSP information
    of the public key certificate (present in the jar put by the jarsigner when signing) and validate it for revocation ? (Also, in this scenario, what happens if OCSP is enabled in java.security ?) -OR--- Is it the responsibility of the code that makes use of the jar, to verify whether the certificate used for jar signing has been revoked or not ?
    PS:- I have enabled the security settings in java control panel for certificate revocation checking.
    Please let me know if I am wrong or if I am missing something.
    Also I noticed something with jarsigner. In a signed jar, if I delete a few files and then verify its signature using jarsigner, "jar verified" is returned as result. Isn't the jar tampered when I delete a few files from it ? and hence the Hash of its data changes ? and hence verification should fail ?
    One more question, in case of signed applets, if the certificate is revoked, as soon as the browser tries loading the applet, it throws an error saying certificate that was used for signing has been revoked. (provided browser settings and java control panel settings are all properly set). Is this check initiated by the browser OR Java runtime ?
    Thanks a lot
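
A check for the deleted-files case raised in the post above: compare the entries the jar's manifest lists with a digest against the entries actually present in the archive. This is an added example, not code from the thread; the class name `ManifestCoverage` is made up, and it only compares names, it does not verify signatures.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

// Added example (hypothetical class name): reports entries that were removed
// from, or added to, a jar after its manifest was written at signing time.
public class ManifestCoverage {

    // A per-entry manifest section written by a signer carries "<alg>-Digest".
    static boolean hasDigest(Attributes attrs) {
        for (Object key : attrs.keySet()) {
            if (key.toString().endsWith("-Digest")) {
                return true;
            }
        }
        return false;
    }

    // Signature bookkeeping files never appear in the manifest.
    static boolean isSignatureFile(String name) {
        String n = name.toUpperCase();
        return n.equals("META-INF/MANIFEST.MF") || (n.startsWith("META-INF/")
                && (n.endsWith(".SF") || n.endsWith(".RSA") || n.endsWith(".DSA")
                    || n.endsWith(".EC") || n.startsWith("META-INF/SIG-")));
    }

    static Set<String> presentFiles(JarFile jar) {
        Set<String> names = new HashSet<>();
        for (JarEntry e : Collections.list(jar.entries())) {
            if (!e.isDirectory()) {
                names.add(e.getName());
            }
        }
        return names;
    }

    // Names the manifest has a digest for but the archive no longer contains.
    static List<String> removedEntries(JarFile jar) throws IOException {
        List<String> removed = new ArrayList<>();
        Manifest mf = jar.getManifest();
        if (mf == null) {
            return removed;
        }
        Set<String> present = presentFiles(jar);
        for (Map.Entry<String, Attributes> section : mf.getEntries().entrySet()) {
            if (hasDigest(section.getValue()) && !present.contains(section.getKey())) {
                removed.add(section.getKey());
            }
        }
        return removed;
    }

    // Files in the archive that the manifest has no digest for.
    static List<String> unlistedEntries(JarFile jar) throws IOException {
        List<String> unlisted = new ArrayList<>();
        Manifest mf = jar.getManifest();
        for (String name : presentFiles(jar)) {
            if (isSignatureFile(name)) {
                continue;
            }
            Attributes attrs = (mf == null) ? null : mf.getAttributes(name);
            if (attrs == null || !hasDigest(attrs)) {
                unlisted.add(name);
            }
        }
        return unlisted;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: java ManifestCoverage <file.jar>");
            System.exit(2);
        }
        try (JarFile jar = new JarFile(args[0])) {
            List<String> removed = removedEntries(jar);
            List<String> unlisted = unlistedEntries(jar);
            removed.forEach(n -> System.out.println("listed in manifest, missing from jar: " + n));
            unlisted.forEach(n -> System.out.println("in jar, no digest in manifest: " + n));
            System.exit(removed.isEmpty() && unlisted.isEmpty() ? 0 : 1);
        }
    }
}
```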

  • Signed PDFs cannot be opened with authentication certificate?

    Hello,
    I have the following problem. I have PDFs that were signed with a certificate from a private CA via Adobe LiveCycle ES2 Version 9. These PDFs are sent out to users who then need to open and print them. To open the PDFs an authentication certificate is needed. All users have been issued such a certificate from a private CA. The users have Adobe reader version 8 to 11 installed.
    Users who have Adobe reader 9 click to open the PDF, they are then ask how they want to authenticate - via password or certificate. They select the certificate option and are then presented with a list of certificates available (from windows certificate store and adobe application) to choose from. They select the right authentication certificate and the PDF opens without issues.
    All other users who use Adobe Reader 8, 10 and 11 are presented with the authentication screen to select the password or certificate option. They select "Certificate" and the screen jumps back to the authentication screen where they are presented with the same selection. If they select "certificate" again, nothing happens and the PDF does not open. For these readers they are not presented with a list of certificates available to choose from.
    When I now remove the authentication certificate from the computer, and try to open the PDF, I get the authentication screen, select "certificate" and am presented with all available certificates. None of these certificates of course match the one the PDF asks for, so it will also not open.
    The private CA certificates are imported in the windows certificate store as well as the Adobe application.
    Why is Adobe 9 handling the certificate differently than 8, 10 and 11? What changes have to be done to pass authentication in the affected readers?
    I am looking forward to any suggestions.
    Thank you,
    Nadine

    AFAIK there were no code changes in this area between XI and DC, Are you doing all your processing on the same platform (Mac) or does the problem manifest when you move encrypted PDF between Mac and Windows. As I recall the problem that I was talking about manifest when encrypted PDFs were moved between platforms. If you do move your PDFs between platforms, then which Acrobat version do you use on which platform? Is it Acrobat DC on both Mac and Windows? On which platform/Acrobat version do you encrypt and on which platform/Acrobat version you try to open?

  • Java Webstart application problem with TLS certificate revocation checks (Java 1.7.0_76)

    We have a problem with our Java Web Start Application regarding the TLS certificate revocation check:
    The application is running on a server within a wide area network which is separated from the internet.
    The application users have access to the WAN, and also access to the internet over some corporate proxy/firewall.
    The user has to enter, for example "https://my-site.de/myapp/ma.jnlp" within a webbrowser or could also call  "javaws https://my-site.de/myapp/ma.jnlp" to start the application client.
    The webserver has a certificate from a trusted certificate authority. This certificate seems to be ok, the browser is even configured to perform OCSP status check.
    The application files are signed with a certificate from another trusted certificate authority. This certificate seems also to be ok. Regarding this certificate there
    are no problems with certificate revocation checks.
    The problem is, while starting the application client there is a message box which tells us something like "the connection to this website is not trustworthy",
    "Website: https://my-site.de:80", and something about an invalid certificate, meaning the webserver certificate.
    Obviously the jvm runtime, which is executed on the users workstation, tries to perform a revocation check for the webservers certificate, but this fails because
    it cannot fetch the certificate under https://my-site.de:80.
    The application will execute without further problems after that message but the users are very concerned about the "invalid" certificate, so here are my questions:
    - Why is the application trying to get the webserver certificate over Port 80. Our application developers told me, there is no corresponding statement. Calling this address
      has to fail while "https://my-site.de:443" or "https://my-site.de" would not have a problem.
    - Is there a way to make the application go on without performing a tls revocation check? I mean, by adjusting the application sourcecode and not by configuring the users Java Control Panel.
      While disabling the TLS Certificate Revocation check in the Java Control Panel, the Webstart Application executes without a warning message, but this is not a workable solution for
      our users.
    It would be great if someone can help me with a hint so I can send our developers into the right direction;-)
    Many thanks!
    This is a part from a java console output after calling "javaws -verbose https://my-site.de/myapp/"
    (sorry for this is in german... and also my english above)
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: OCSP Response: GOOD
    network: Verbindung von http://ocsp.serverpass.telesec.de/ocspr mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    security: UNAUTHORIZED
    security: Failing over to CRLs: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
    network: Cacheeintrag gefunden [URL: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl, Version: null] prevalidated=false/0
    cache: Adding MemoryCache entry: http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl
    cache: Resource http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl has expired.
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird hergestellt
    network: ResponseCode für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: 200
    network: Codierung für http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl: null
    network: Verbindung mit http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl trennen
    CacheEntry[http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl]: updateAvailable=true,lastModified=Tue Mar 24 10:50:01 CET 2015,length=53241
    network: Verbindung von http://crl.serverpass.telesec.de/rl/TeleSec_ServerPass_CA_1.crl mit Proxy=HTTP @ internet-proxy.***:80 wird
    network: Verbindung von socket://ldap.serverpass.telesec.de:389 mit Proxy=DIRECT wird hergestellt
    security: Revocation Status Unknown
    com.sun.deploy.security.RevocationChecker$StatusUnknownException: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at com.sun.deploy.security.RevocationChecker.checkOCSP(Unknown Source)
        at com.sun.deploy.security.RevocationChecker.check(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.doRevocationCheck(Unknown Source)
        at com.sun.deploy.security.RevocationCheckHelper.checkRevocationStatus(Unknown Source)
        at com.sun.deploy.security.X509TrustManagerDelegate.checkTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManagerDelegate.checkServerTrusted(Unknown Source)
        at com.sun.deploy.security.X509Extended7DeployTrustManager.checkServerTrusted(Unknown Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
        at com.sun.deploy.net.HttpUtils.followRedirects(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doRequest(Unknown Source)
        at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.checkUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.isUpdateAvailable(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.cache.ResourceProviderImpl.getResource(Unknown Source)
        at com.sun.deploy.model.ResourceProvider.getResource(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory._buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.jnl.LaunchDescFactory.buildDescriptor(Unknown Source)
        at com.sun.javaws.Main.launchApp(Unknown Source)
        at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
        at com.sun.javaws.Main.access$000(Unknown Source)
        at com.sun.javaws.Main$1.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
        Suppressed: com.sun.deploy.security.RevocationChecker$StatusUnknownException
            at com.sun.deploy.security.RevocationChecker.checkCRLs(Unknown Source)
            ... 35 more
    Caused by: java.security.cert.CertPathValidatorException: OCSP response error: UNAUTHORIZED
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        at sun.security.provider.certpath.OCSP.check(Unknown Source)
        ... 36 more
    security: Ungültiges Zertifikat vom HTTPS-Server
    network: Cacheeintrag nicht gefunden [URL: https://my-site.de:80, Version: null]

    Add the JSF Jars to the WEB-INF/lib directory of the application. If still getting error add to the CLASSPATH variable in the startWebLogic script in the domain/bin directory.

  • How to specifiy the provider to be Oracle.ManagedDataAccess.Client when creating a dynamic connection string with EF Code First from Database?

    I am trying to use the relatively new Code First from Database with the newest EF (6.x) and on an Oracle database (11g, but I have installed the newest ODTwithODAC). First of all, it works fine as long as the connection string is inside the App.Config file. But when I try to build it dynamically in the C# code (or rather, statically at the moment) it fails. I have it working with a dynamically built connection string when doing Model from Database though, so I'm at a loss right now.
    First, I have created a second constructor for the context class that takes a string and does base(connectionString). Then I build the connection string via
    OracleConnectionStringBuilder oracleBuilder = new OracleConnectionStringBuilder();
    oracleBuilder.DataSource = "TEST.BLA.COM";
    oracleBuilder.UserID = "ABC";
    oracleBuilder.Password = "abc";
    oracleBuilder.PersistSecurityInfo = true;
    string connection = oracleBuilder.ToString();
    Now trying to open an EntityConnection by giving to it this provider-specific connection string (or even the static one from the App.Config) doesn't work; I get "keyword not supported: user id"). Trying it by creating a context and giving this connection string doesn't work either. I'm pretty sure that this is because I didn't specify the provider to use; after all, it should use the Oracle.ManagedDataAccess.Client provider and not an SQL Server based one.
    I then tried to get around this by using an EntityConnectionStringBuilder on top and specifying the provider keyword there, but then I get "keyword not supported: provider" when using it in the context constructor, and "the 'metadata' keyword is always required" when using it with the EntityConnection constructor.
    As I said above: I bet it's the provider that I have to specify somehow, but I don't know how. The code that does work is the following:
    using (var context = new Model())
    {
        context.Database.Connection.Open();
        context.Database.Connection.Close();
    }
    When I read context.Database.Connection.ConnectionString, it is exactly the provider-specific connection string I created above, but I don't know where to specify the provider again. Do you know of any way to do this? Certainly there must be one.
    PS: I have also posted this question on http://stackoverflow.com/questions/27979454/ef-code-first-from-database-with-managed-oracle-data-access-dynamic-connection because it is quite urgent and I'd like to use Code First from Database. Otherwise I'd have to go "back" to using Model from Database again, which is not ideal because we have updatable views where the .edmx-file has to be edited after every reload of the model, while with Code First from DB inserting into the view automatically works.

  • Import and trust a self-signed CA certificate from the Terminal

    Hello there,
    I have a problem: I would like to import and trust a self-signed CA (root) certificate from the Terminal to the System.keychain.
    My request is to create a installation script to install the Cisco AnyConnect VPN Client and the needed certificates.
    For the import i have used the following command:
        sudo security import certificate.cer -k "/Library/Keychain/System.keychain" -A
    The option "-A" says:
    Allow any application to access the imported key without warning (insecure, not recommended!) <- From the Mac Developer Library
    The command reported: 1 certificate is imported ... but ... the certificate is not trusted.
    What do I need to do to set this certificate as trustworthy at the terminal?
    Thanks for your help and best regards
    Benjamin
    P.S. The command: sudo security add-trusted-cert -d -r trustRoot -k “/Library/Keychains/System.keychain” “/private/tmp/certs/certname.cer” doesn't run; I get an error message. Found on http://derflounder.wordpress.com/2011/03/13/adding-new-trusted-root-certificates-to-system-keychain/

    Hello Linc Davis,
    Thanks for your answer and sorry for my mistake: I had already changed the last argument, but for this discussion I had only copied this example.
    But your answer showed me the right way, big thanks.
    I had entered the following command (see the last argument):
         sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Downloads/mycert.cer"
    ... and I get the following message:
        ***Error reading file ~/Downloads/mycert.cer
         Error reading file ~/Downloads/mycert.cer
    Today I changed the last argument to:
         /Users/User/Downloads/mycert.cer
    and it runs.
    Many thanks!
    Benjamin
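
The "Error reading file" message in the exchange above comes from the quoted "~/Downloads/mycert.cer": the shell does not expand a tilde inside quotes, so security receives the literal path. The installer helper below is an added example, not code from the thread; the function names and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): resolve and check a certificate path
# before adding it as a trusted root in the System keychain.

# Expand a leading "~/" by hand, because the shell leaves a quoted tilde alone.
resolve_cert_path() {
    case "$1" in
        '~')   printf '%s\n' "$HOME" ;;
        '~/'*) printf '%s\n' "$HOME/${1#\~/}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Returns 2 if the file is unreadable, 3 if it is not an X.509 certificate.
trust_root_cert() {
    cert=$(resolve_cert_path "$1")
    if [ ! -r "$cert" ]; then
        echo "cannot read certificate file: $cert" >&2
        return 2
    fi
    # Accept PEM or DER, but refuse anything openssl cannot parse, so that
    # only a real certificate ever reaches the trust store.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null &&
       ! openssl x509 -inform DER -in "$cert" -noout 2>/dev/null; then
        echo "not an X.509 certificate: $cert" >&2
        return 3
    fi
    # DRY_RUN=1 (assumed switch) prints the resolved path and changes nothing.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cert"
        return 0
    fi
    # Same command as in the thread, with plain ASCII quoting and an
    # absolute path. No -A: nothing here needs open access to a private key.
    sudo security add-trusted-cert -d -r trustRoot \
        -k /Library/Keychains/System.keychain "$cert"
}

# Usage: sh trust-cert.sh '~/Downloads/mycert.cer'
if [ "$#" -gt 0 ]; then
    trust_root_cert "$1"
fi
```

Running it once with DRY_RUN=1 shows the path that would be handed to security before anything in the keychain changes.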

  • Computer certificates expiring within 6 weeks disappearing from machines when computer certificates from two certificate authorities are present

    2008 R2 single tier enterprise certificate authority with root certificate expiring within 6 weeks, also domain controller
    2012 R2 single tier enterprise certificate authority with root certificate valid for more than the next year, also domain controller
    Both servers are approved as certificate authorities for the domain and can issue computer certificates using the computer certificate template. There is a group policy object applied to all workstations that contains an automatic computer certificate request,
    but the actual "certificate services client auto-enrollment" element is "not configured". This process seems to work like a round robin in that computers with no certificate can wind up with a certificate from either certificate
    authority. I need all PCs to have both certs for a DirectAccess migration. I have successfully used SCCM to ensure all PCs have both certificates using compliance rules and a script using certreq.exe.
    A machine will keep both certs until the older computer certificate moves into the 6 week window of expiration, then it gets purged. I have observed this behavior for over a month, even when the CA root certificate wasn't so close to expiring. I
    can't figure out what setting is triggering the purge, but need to stop it. Maybe it's coming from default settings in local machine policy for an element that should be disabled in the group policy object supplying the automatic certificate request?
    The worst part of this issue is that I can't recreate the purging behavior with gpupdates or restarts on my test machines.

    You should not be using Automatic Certificate Request Service (ACRS) for this - it was designed for Windows 2000 and is generally deprecated. Secondly, the reason it is acting like a round-robin as you describe it, is that templates are generally configured
    to attempt to renew within 6 weeks of their expiration. Since the 2008 R2 CA is expiring within 6 weeks, it can't issue anything longer than its own remaining lifetime. It is a well known issue that issuing a certificate within the renewal period will cause
    problems.
    What you should do is use AutoEnrollment and issue a certificate with a very small renewal period (1 week perhaps) by creating a custom V2 template and issuing that from your 2008 R2 CA. Then on the 2012 R2 CA you will need ANOTHER template, as the computer
    will only enroll for a certificate from each template. This one can be configured with a normal lifetime and renewal period.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com

  • Sign with a smartcard

    Hello, following the migration of Acrobat Reader to the 11.0.9 release, we have seen a regression in the ability to sign a PDF document with an integrated smart card certificate. Version 11.0.8 allowed us to do this. Are you aware of this regression? The certificate has the key usage attribute: critical digitalSignature

    Hi,
    Here are some details about the problem of signing with a certificate embedded in the smartcard.
    For your information, here are some details about the properties of the embedded certificate, from the command openssl x509 -in file -text:
               Netscape Cert Type:
                    SSL Client
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication, Microsoft Smartcardlogin
                X509v3 Key Usage: critical
                    Digital Signature
    Second point: the information returned by the command CertUtil -SCInfo is:
    0: Dell Dell Smart Card Reader Keyboard 0
      1: Gemplus USB Smart Card Reader 0
    --- Lecteur : Dell Dell Smart Card Reader Keyboard 0
    --- Statut : SCARD_STATE_PRESENT | SCARD_STATE_INUSE
    --- Statut : La carte est partagée par un autre processus.
    ---   Carte : Axalto Cryptoflex .NET
    ---    ATR :
         3b 16 96 41 73 74 72 69  64                        ;..Astrid
    --- Lecteur : Gemplus USB Smart Card Reader 0
    --- Statut : SCARD_STATE_EMPTY
    --- Statut : Aucune carte.
    ---   Carte :
    And the smartcard driver configuration is the Gemalto minidriver for .NET Smart Card
    Driver provider : Gemalto / Driver Date : 04/06/2011 / Driver version : 8.3.13 / Driver signature : Microsoft Windows Hardware Compatibility Publisher
    a-   When I check the ability of Adobe Reader XI version 11.0.09 to read the X.509 certificate, Adobe Reader is able to read it. It is possible to check this with the information about the certificate in the approved identity box.
    A second window confirms that the certificate is able to sign a document. So we will try to sign a test file.
    For that, we take a test file and go to the menu "File and Sign". We get a box to draw a square for the signature.
    First problem: the dialog box doesn't present my certificate embedded in the smart card. Only the software certificate is presented.
    So we try to register my card in the Adobe Reader store by creating an ID. A window appears with a peripheral connected to the computer.
    But the result is not really good, and we get a message that Adobe is not able to find the hardware token.
    "Acrobat None normally found new digital ID. If your digital ID is on a hardware token, verify that it is plugged in and its interface is configured correctly. Contact your system administrator for further assistance."
    With the previous versions of Adobe Reader, we were able to sign the file, and the result is:
    Version 9.0.0 - Detail of the signature: The signature is created with Adobe Reader 9.0.0   - the  Hash is SHA1
    Version 11.0.7 - Detail of the signature: The signature is created with Adobe Reader 11.0.7   - the  Hash is SHA256
    To summarize, with version 11.0.9 the connection with the smartcard driver is not established, but it is possible to read the certificate with the Windows store.
    Thanks for your feedback on this problem.

Maybe you are looking for